[BreachExchange] NAB sends details of 60,000 customers to adult website owner

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jan 9 18:58:15 EST 2017


http://www.afr.com/business/banking-and-finance/financial-services/nab-sends-details-of-65000-customers-to-adult-website-owner-20170109-gto2ta

NAB has sent the personal details of 60,000 clients to a domain name
squatter and adult website owner in a bungle that could have compromised
the security of its customers and threatened its reputation.

The Australian Financial Review understands that an error during a routine
electronic direct mail-out to its migrant banking customers, which was
first revealed by the bank in December, saw the information emailed to an
address associated with David Weissenberg of Real Assets Limited.

Mr Weissenberg and his company own hundreds of domain names including
sexpornhost.com, porncocktail.com, liveteendreams.com, supersleazy.com,
welovenakedgirls.com and adultorientatedmaterial.com.

Mr Weissenberg and Real Assets gained notoriety in the early 2000s for
registering the domain name shit.com. He capitalised on the subsequent
media attention by redirecting the traffic to a website hosting adult
content.

Mr Weissenberg's company is registered in the British Virgin Islands. The
Financial Review attempted to reach Mr Weissenberg for comment but was
unsuccessful.

NAB's executive general manager for international branches Peter Coad said
that the bank was working with Mr Weissenberg to ensure the security of
customers affected by the breach.

He said Mr Weissenberg had been very helpful and that discussions with him
had been productive.

"We understand that the email address to which the correspondence was
incorrectly sent is not actively used and our customers' emails have not
been wrongfully used," Mr Coad told the AFR.

"Although this has been a complex process involving multiple international
jurisdictions, all parties – including the email account owner – are taking
this extremely seriously and NAB is working hard to resolve this matter."

Mr Weissenberg and his company own the domain name www.nab.com and
www.nab.net. The domain www.nab.com is currently hosting a dating website.

The Financial Review understands the bank has been in discussions with Mr
Weissenberg on and off over the years about the domain name which he
acquired in 1994. The lease for the domain is not due to be renewed until
2023.

Among the information leaked in the mail-out were client names, BSB
numbers, account numbers and NAB identification numbers. Passwords were not
included in the mail-out.

NAB began trying to untangle the debacle in December when it filed a motion
against Google in a Northern Californian Court. Google hosts the server
where the email was sent and typically requires motions to be filed before
it co-operates with requests for data.

Statements made by Mr Coad and cybersecurity expert Ashim Kapur of Stroz
Friedberg have been sealed at the request of the bank. The case was
dismissed at NAB's request on December 30.

A spokesman for the bank said it was continuing to work with multiple
stakeholders on securing the data. A team was monitoring the accounts
affected in the security breach and had not identified any unusual activity
to date.

"We take full responsibility and have apologised to our migrant banking
customers and assure them that we are working hard to improve and
strengthen our processes to make sure this doesn't happen again," the
spokesman said.

NAB confirmed the security breach on December 16. It said the error related
to customers who set up accounts between 2012 and 2016. The person
responsible for the mistake is no longer with the company.

NAB says that 19,000 of the accounts hold $2 or less and that 40 per cent
of those affected have either closed their accounts or not used them.